Samba 4 Public Share Configuration: Fixing “Invalid Security=share” Error and Anonymous Access Setup



If you've recently upgraded to Samba 4 and found your public shares suddenly requiring authentication, you're not alone. The security model has evolved, and the old security = share parameter that worked in Samba 3 is now deprecated. Here's what's happening under the hood:


# Old Samba 3 style (no longer works)
security = share

The new approach uses security = user combined with proper guest account mapping:


[global]
    workgroup = MYGROUP
    server string = Samba Server
    netbios name = SERVER
    security = user
    map to guest = bad user
    guest account = nobody
    log file = /var/log/samba/log.%m
    max log size = 50

For each public share, you'll need to explicitly configure guest access:


[PublicMedia]
    path = /mnt/media
    browsable = yes
    writable = no
    guest ok = yes
    public = yes
    only guest = yes
    force user = nobody
    force group = nogroup
    create mask = 0644
    directory mask = 0755

Even with correct Samba config, you might hit permission issues:


# Set proper filesystem permissions
sudo chown -R nobody:nogroup /mnt/media
sudo chmod -R 0755 /mnt/media

# For SELinux systems (-R also labels the files already under the directory)
sudo chcon -R -t samba_share_t /mnt/media
sudo setsebool -P samba_export_all_ro on

After making changes, verify your configuration and test access:


# Check config syntax
testparm

# Restart services (smb/nmb on RHEL-family systems; smbd/nmbd on Debian/Ubuntu)
sudo systemctl restart smb
sudo systemctl restart nmb

# Test local access
smbclient -L localhost -N
smbclient //localhost/PublicMedia -N -c "ls"

For setups needing both authenticated and guest access:


[MixedShare]
    path = /mnt/shared
    browsable = yes
    guest ok = yes
    read only = yes
    write list = @smbusers
    valid users = @smbusers, nobody
    inherit permissions = yes

After upgrading to Samba 4, many users encounter the warning message: WARNING: Ignoring invalid value 'share' for parameter 'security'. This occurs because Samba 4 has officially deprecated the legacy security = share parameter that was commonly used for anonymous access shares.

The recommended replacement uses security = user combined with guest access mapping:

[global]
    workgroup = WORKGROUP
    server string = Samba Server
    netbios name = SERVER
    security = user
    map to guest = Bad User
    guest account = nobody

For read-only public shares:

[PublicMedia]
    path = /mnt/media
    browsable = yes
    read only = yes
    guest ok = yes
    guest only = yes
    force user = nobody
    force group = nogroup

For writable public shares:

[PublicUpload]
    path = /mnt/uploads
    browsable = yes
    read only = no
    guest ok = yes
    guest only = yes
    create mask = 0666
    directory mask = 0777
    force user = nobody
    force group = nogroup

Ensure your filesystem permissions match the Samba configuration:

sudo chown -R nobody:nogroup /mnt/uploads
sudo chmod -R 0777 /mnt/uploads  # For writable shares

If access issues persist:

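  1. Set the SELinux booleans that let Samba export files (samba_export_all_rw is only needed for writable shares): sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
  2. Open the firewall for Samba and reload so the permanent rule takes effect: sudo firewall-cmd --add-service=samba --permanent && sudo firewall-cmd --reload
  3. View detailed logs: tail -f /var/log/samba/log.*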
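
To confirm which shares actually accept guests after the migration, and which of those are writable, the following added example (not code from the original page or from the Samba project) parses smb.conf text and resolves the parameter synonyms used above (public, only guest, writable). It assumes a single file with no include directives, looks only at share-level settings and [global] defaults, and uses a constructed sample in which [Private] is hypothetical.

```python
TRUE = {"yes", "true", "on", "1"}
SYNONYMS = {"public": "guest ok", "only guest": "guest only"}
INVERTED = {"writable", "writeable", "write ok"}  # inverted synonyms of "read only"

# Constructed sample built from this page's shares; [Private] is made up for contrast.
SAMPLE = """
[global]
    map to guest = bad user
[PublicMedia]
    writable = no
    public = yes
    only guest = yes
[PublicUpload]
    read only = no
    guest ok = yes
[MixedShare]
    guest ok = yes
    read only = yes
    write list = @smbusers
[Private]
    valid users = @smbusers
"""

def parse_smb_conf(text):
    """Return {section: {canonical parameter: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in INVERTED:  # e.g. "writable = no" means "read only = yes"
                key, value = "read only", ("no" if value.lower() in TRUE else "yes")
            current[SYNONYMS.get(key, key)] = value
    return sections

def guest_shares(text):
    """Return {share: "read-only" | "writable"} for shares with guest ok = yes."""
    conf = parse_smb_conf(text)
    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    flag = lambda share, key, default: share.get(key, glob.get(key, default)).lower() in TRUE
    return {name: "read-only" if flag(share, "read only", "yes") else "writable"
            for name, share in conf.items()
            if name.lower() != "global" and flag(share, "guest ok", "no")}

print(guest_shares(SAMPLE))
```

Any share reported as writable accepts anonymous writes at the Samba level, so its directory permissions and SELinux booleans are the remaining controls worth reviewing.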